abpframework / abp

Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
https://abp.io
GNU Lesser General Public License v3.0

Suggestion: add anti-XSS measures #8628

Closed fokkog closed 3 years ago

fokkog commented 3 years ago

After doing some POC development with ABP Framework I am greatly impressed, finding it a tremendous productivity booster. One thing I did notice is that the DataTables grids I initially ended up with show unencoded data. This is visible in the starter template, by entering this role name: <script>alert('xss');</script>. This is also visible in the tutorial results, by entering this value as a book name. In both cases the JavaScript gets executed and the alert gets displayed.

One way to prevent this is to add a render function for data columns (see also https://datatables.net/manual/data/renderers#Text-helper): render: $.fn.dataTable.render.text()

Version: 4.2.2
User interface: MVC / Razor Pages
Database provider: n/a
Exception message/stack trace: n/a

maliming commented 3 years ago

See https://github.com/abpframework/abp/issues/8114

fokkog commented 3 years ago

My bad for raising a duplicate issue. I did a Google search and found nothing, should have done a GitHub issue search.

realLiangshiwei commented 3 years ago

We should

var name = '<span>' + $.fn.dataTable.render.text().display(data) + '</span>'; // prevent against possible XSS

https://github.com/abpframework/abp/blob/0c89ff55a22f33b786b316851a9d60cfff66cd01/modules/identity/src/Volo.Abp.Identity.Web/Pages/Identity/Roles/index.js#L87
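The following is an added example, not code from ABP or DataTables, illustrating both the unescaped column rendering described in the opening post and the `render.text()` fix proposed in the comments. It runs without jQuery or DataTables: `escapeHtml` is a stand-in written here for what `$.fn.dataTable.render.text().display(data)` does, and `renderRows` is a constructed miniature of DataTables' cell rendering, so the names, the sample rows and the `containsRawScriptTag` check are all assumptions of this example.

```javascript
// Constructed sample data: the second row carries the role name from the issue.
const SAMPLE_ROWS = [
  { id: 1, name: 'admin' },
  { id: 2, name: "<script>alert('xss');</script>" },
];

// Stand-in for $.fn.dataTable.render.text().display(data): HTML-escape the
// characters that would otherwise let cell data be parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// DataTables-style column definitions. Without `render`, the cell data is
// injected into the table as raw HTML, which is the defect the issue reports.
const unsafeColumns = [
  { data: 'name' },
];
// With a text renderer every cell value is escaped before it reaches the DOM.
const safeColumns = [
  { data: 'name', render: (data) => escapeHtml(data) },
];

// Miniature of DataTables' row rendering: `render(data, type, row)` returns the
// string placed inside the <td>; a column without `render` uses the raw value.
function renderRows(rows, columns) {
  return rows.map((row) =>
    '<tr>' + columns.map((col) => {
      const data = row[col.data];
      const cell = col.render ? col.render(data, 'display', row) : data;
      return '<td>' + cell + '</td>';
    }).join('') + '</tr>'
  );
}

// Review check: a rendered cell that still contains a literal <script> tag
// means the column definition is emitting unescaped data.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Calling `renderRows(SAMPLE_ROWS, unsafeColumns)` returns a row containing the raw script tag, while `renderRows(SAMPLE_ROWS, safeColumns)` returns `&lt;script&gt;...` that the browser displays as text.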